CN108566377A - Attack forensics method, device and storage medium


Info

Publication number: CN108566377A
Application number: CN201810209294.7A
Authority: CN (China)
Prior art keywords: evidence, attack, original, information flow, evidence obtaining
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 胡波, 于运涛, 石韬, 王晔
Current assignee: China Electronics Harvest Technology Co Ltd
Original assignee: China Electronics Harvest Technology Co Ltd
Application filed by China Electronics Harvest Technology Co Ltd
Priority date / filing date: 2018-03-14
Publication date: 2018-09-21


Classifications

All classifications fall under H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/1408 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L43/04 Arrangements for monitoring or testing data switching networks: processing captured monitoring data, e.g. for logfile generation
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L2463/146 Tracing the source of attacks

Abstract

The invention discloses an attack forensics method, device and storage medium that make it possible to trace an attack back. The method includes: after an attack event is detected, checking the preset forensics policy and collecting evidence on the original attack information flow according to that policy, where the original attack information flow comprises one or more original attack packets of the attack event. With the embodiments of the invention, complete evidence is collected for the one or more original attack packets of an attack event. Compared with the conventional practice of recording only summary information about the attack event, this provides stronger evidence for later attack source tracing and hacker profiling.

Description

Attack forensics method, device and storage medium
Technical field
The present invention relates to the technical field of network security, and in particular to an attack forensics method, device and storage medium.
Background art
At present, for attack events occurring at gateway devices, such as intrusion detection events, virus events and DDoS attack events, mainly the summary information of the event is extracted; the summary information includes the event ID, the attack source IP, the attack destination IP and so on. Such summary information cannot satisfy the requirements of later activities such as attack source tracing and hacker profiling.
Summary of the invention
To solve the above technical problem, the present invention provides an attack forensics method, device and storage medium that make it possible to trace an attack back.
To achieve the object of the invention, the present invention provides an attack forensics method, which includes:
after an attack event is detected, checking the preset forensics policy and collecting evidence on the original attack information flow according to that policy, the original attack information flow comprising one or more original attack packets of the attack event.
Further, the forensics policy includes: local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port.
Further, when the preset forensics policy includes local storage, collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, constructing pcap (process characteristic analysis software package) files with the original attack information flow as the content of the pcap files, and naming the pcap files according to a preset naming rule.
Further, the preset naming rule is:
the pcap file name includes the attack event type and the event identifier; or
the pcap file name includes the attack event type, the event identifier and the source IP address; or
the pcap file name includes the attack event type, the event identifier and the destination IP address; or
the pcap file name includes the attack event type, the event identifier, the source IP address and the destination IP address.
Further, when the preset forensics policy includes forwarding to a preset firewall mirror port, collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
To achieve the object of the invention, the present invention also provides an attack forensics device, which includes a detection module and a forensics module, wherein
the detection module checks the preset forensics policy after detecting an attack event; and
the forensics module collects evidence on the original attack information flow according to the forensics policy, the original attack information flow comprising one or more original attack packets of the attack event.
Further, the forensics policy includes: local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port.
Further, when the preset forensics policy includes local storage, the forensics module collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module copying the original attack information flow, constructing pcap files with the original attack information flow as the content of the pcap files, and naming the pcap files according to the preset naming rule.
Further, when the preset forensics policy includes forwarding to a preset firewall mirror port, the forensics module collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
To achieve the object of the invention, the present invention also provides a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, the steps of the above method are carried out.
Compared with the prior art, the present invention checks the preset forensics policy after an attack event is detected and collects evidence on the original attack information flow according to that policy, the original attack information flow comprising one or more original attack packets of the attack event. Complete evidence is collected for the one or more original attack packets of an attack event; compared with the conventional practice of recording only summary information about the attack event, this provides stronger evidence for later attack source tracing and hacker profiling.
Other features and advantages of the present invention will be set out in the following description, and will in part become apparent from the description or be learned by practising the invention. The objects and other advantages of the invention can be realised and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Brief description of the drawings
The drawings are provided to give a further understanding of the technical solution of the present invention and form part of the description; together with the embodiments of the application they serve to explain the technical solution of the invention and do not limit it.
Fig. 1 is a flowchart of the attack forensics method of embodiment one of the present invention;
Fig. 2 is another flowchart of the attack forensics method of embodiment two of the present invention;
Fig. 3 is a structural schematic diagram of the attack forensics device of embodiment three of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in those embodiments may be combined with one another arbitrarily.
The steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions. Moreover, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.
Embodiment one
This embodiment provides an attack forensics method which, as shown in Fig. 1, includes S11 and S12:
S11: after an attack event is detected, check the preset forensics policy;
S12: collect evidence on the original attack information flow according to the forensics policy, the original attack information flow comprising one or more original attack packets of the attack event.
In the embodiment of the invention, collecting evidence on the original attack information flow means collecting complete evidence on the one or more original attack packets of an attack event. Compared with the conventional practice of recording only summary information about the attack event, this provides stronger evidence for later attack source tracing and hacker profiling.
The forensics policy includes:
local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port. Local storage may use local pcap (process characteristic analysis software package) storage, or another packet format may be used, as long as the attack can be traced back. Storing the most original attack information flow in pcap form allows the packets to be replayed later, while forwarding to a preset firewall mirror port allows the attack to be displayed promptly.
Which forensics policy is used can depend on the firewall device. For example, if the firewall device has a hard disk, the forensics policy may be set to local storage; if redundancy is a concern, the forensics policy may be set to both local storage and forwarding to the preset firewall mirror port.
In an alternative embodiment, if the preset forensics policy includes local storage, collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, constructing a pcap file with the original attack information flow as its content, and naming the pcap file according to a preset naming rule.
The preset naming rule may be that the pcap file name includes the attack event type and the event identifier. The essence of this naming rule is to group and classify attack events so that the pcap file name reflects the summary information of the attack event without making the total number of pcap files excessively large, which makes it convenient to search quickly by attack event type and attack event later.
Optionally, the pcap file name may also include the source IP address and/or the destination IP address. That is, the preset naming rule may also be: the pcap file name includes the attack event type, the event identifier and the source IP address; or the pcap file name includes the attack event type, the event identifier and the destination IP address; or the pcap file name includes the attack event type, the event identifier, the source IP address and the destination IP address. Adding elements to the name increases the number of pcap files, but achieves a finer classification.
If another packet format is used for local storage, it can likewise be implemented with reference to the forensics method and naming rule for pcap files described above.
In another alternative embodiment, if the preset forensics policy includes forwarding to a preset firewall mirror port, collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
The firewall mirror port can be connected to a device that displays the attack in real time, for example a directly connected computer, or a computer connected through a switch.
In the embodiment of the invention, after an attack event is detected, the preset forensics policy is checked and evidence is collected on the original attack information flow according to that policy, by storing the original attack information flow locally or forwarding it to the firewall mirror port. Compared with the conventional practice of recording only summary information about the attack event, this provides stronger evidence for later attack source tracing and hacker profiling.
Embodiment two
This embodiment describes the method of the above embodiment in detail; as shown in Fig. 2, it includes the following steps:
Step S21: perform application-level flow reassembly on the attack packets to obtain the reassembled large message.
For traffic passing through the firewall, application-based stream reassembly can be performed first. Different reassembly strategies are used for different applications; for SMTP (Simple Mail Transfer Protocol), for example, a single message flow can be cached and the contents of the mail and its attachments parsed.
Step S22: the detection module detects an attack event.
There are multiple detection modules, used to find the various attack events in the packet flow; for example, different detection modules perform intrusion detection and the detection of attacks such as DDoS (distributed denial of service), viruses and Trojans, each module detecting one kind of attack event. When an attack event is found, a log is generated first; then, depending on whether the user has configured a forensics policy, it is decided whether to perform the attack forensics operation.
Step S23: check the forensics policy. If the user has configured attack forensics, decide how to collect evidence according to the forensics policy: if the forensics policy is local storage, execute step S25; if the forensics policy is forwarding to the preset firewall mirror port, execute step S24; if the forensics policy is both local storage and forwarding to the preset firewall mirror port, execute steps S24 and S25 at the same time.
Step S24: copy the original attack information flow and forward it to the preset firewall mirror port.
To send the copied original attack information flow to the preset firewall mirror port, the original attack information flow first has to be encapsulated for ease of forwarding, for example with transport-layer, IP-layer and data-link-layer headers; the encapsulated original attack information flow is then sent to the specified firewall mirror port. In this forensics scenario a laptop can be connected to the firewall's mirror port to capture the attack packets, or a computer can be connected through a switch to capture them.
Here the original attack information flow comprises one or more original attack packets of the attack event.
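Step S24 describes the encapsulation only in outline: the copied attack packets are wrapped in transport-, IP- and data-link-layer headers before being sent out of the mirror port. The Python below is an added example, not code from the patent or its applicant, showing one such wrapping (outer Ethernet, IPv4 and UDP headers with the original frame as the UDP payload) together with the consistency check a capture host should perform before trusting a mirrored copy. The framing, the MAC and IP addresses and the UDP port are assumptions, and the sample frame is constructed.

```python
"""Added example (not from the patent): outer-header encapsulation for step S24.
The application only says the copied attack packets get transport-, IP- and
data-link-layer headers before being sent to the mirror port; the concrete
framing here (outer Ethernet + IPv4 + UDP, original frame as UDP payload),
the MAC/IP addresses and the UDP port are assumptions for this illustration."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
MIRROR_UDP_PORT = 55000          # assumed port for mirrored copies, not from the patent
OUTER_LEN = 14 + 20 + 8          # Ethernet + IPv4 without options + UDP

# Constructed sample: a raw Ethernet frame as the firewall would have copied it.
# Arbitrary bytes, not a real attack packet.
SAMPLE_ATTACK_FRAME = (bytes.fromhex("020000000002" "020000000001" "0800")
                       + b"constructed attack payload (not real traffic)")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the header's own checksum is right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def encapsulate(frame: bytes, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, ip_id: int) -> bytes:
    """Firewall side: wrap one copied frame in outer Ethernet/IPv4/UDP headers."""
    udp_len = 8 + len(frame)
    if 20 + udp_len > 0xFFFF:
        raise ValueError("frame too large for one outer IPv4 packet")
    udp = struct.pack("!HHHH", MIRROR_UDP_PORT, MIRROR_UDP_PORT, udp_len, 0)  # UDP csum 0 = none
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ip_id & 0xFFFF, 0x4000, 64, PROTO_UDP, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed))
    struct.pack_into("!H", ip, 10, ipv4_checksum(bytes(ip)))  # fill in the header checksum
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + bytes(ip) + udp + frame


def decapsulate(mirrored: bytes) -> bytes:
    """Capture-host side: recover the original frame, refusing a copy whose outer
    headers disagree with the bytes actually received instead of trusting them."""
    if len(mirrored) < OUTER_LEN:
        raise ValueError("truncated mirror frame")
    if struct.unpack("!H", mirrored[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType")
    ip = mirrored[14:34]
    if ip[0] != 0x45 or ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_UDP or total_len != len(mirrored) - 14:
        raise ValueError("outer IPv4 length/protocol mismatch")
    if struct.unpack("!H", mirrored[38:40])[0] != total_len - 20:
        raise ValueError("outer UDP length mismatch")
    return mirrored[OUTER_LEN:]


def is_rejected(mirrored: bytes) -> bool:
    """True when decapsulate() refuses the frame (exercises the integrity checks)."""
    try:
        decapsulate(mirrored)
    except ValueError:
        return True
    return False


def mirror_roundtrip(frame: bytes = SAMPLE_ATTACK_FRAME) -> tuple:
    """Encapsulate as the firewall would, then decapsulate as the capture host would."""
    mirrored = encapsulate(frame, "02:00:00:00:00:fe", "02:00:00:00:00:ff",
                           "192.0.2.1", "192.0.2.2", ip_id=1)
    return mirrored, decapsulate(mirrored)


if __name__ == "__main__":
    wire, recovered = mirror_roundtrip()
    print(len(wire), recovered == SAMPLE_ATTACK_FRAME)  # 42 + len(frame), True
```

The point of decapsulate() is that the monitoring host accepts a copied frame only after the outer EtherType, the IPv4 header checksum and both length fields agree with the bytes actually received; a mirrored frame that fails those checks has been truncated or altered in transit and should be logged as such rather than silently added to the evidence.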
Step S25: copy the original attack information flow and construct the pcap file, which includes constructing the pcap-format header and body and using the original attack information flow as the content of the pcap file.
This embodiment uses local pcap storage; other packet formats may also be used for storage, as long as the attack can be traced back. Storing the most original attack information flow in pcap form allows the packets to be replayed later, while forwarding to the preset firewall mirror port allows the attack to be displayed promptly.
Here the original attack information flow comprises one or more original attack packets of the attack event.
Step S26: name the pcap file.
The pcap file is named according to the preset naming rule. A firewall usually sits at the gateway or the enterprise egress, where the number of attack events is large; how to name the pcap files of attack events is essentially a question of how to group and classify attack events. The general principle is that the pcap file name should reflect the attack summary information while the total number of pcap files must not become excessively large. In the embodiment of this application the firewall is deployed at a high-traffic gateway, so the naming method used is that the pcap file name includes the attack event type and the event identifier. Optionally, depending on the scenario in which the firewall is deployed, the file name may also include the source IP address and/or the destination IP address; for example, if the firewall is deployed in front of servers, the file name can include the destination IP. With attack pcap files stored under this naming method, key information such as the attack type, the attack event, the attack source and the attack destination can be searched quickly during later auditing.
Step S27: write to the firewall file system.
Because pcap files store raw information such as the attack payload, they need storage space, so a hard disk usually has to be fitted inside the firewall.
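Steps S23 and S25 to S27 together form the local-storage branch. The Python below is an added example, not the patent's or the applicant's code, that carries that branch through on a constructed sample event: it maps the configured policy to the branches to run, writes the copied packets into a libpcap-format file, names the file under the rule of step S26 (attack type and event identifier, optionally with source and/or destination IP), and appends later hits of the same event to the same file so that the number of files stays small. The AttackEvent structure, the policy strings and the sample frames are assumptions.

```python
"""Added example (not from the patent): the local-storage branch of embodiment two
(steps S23, S25, S26, S27) on a constructed sample event. The file layout is the standard
libpcap format; AttackEvent, the policy strings and the sample frames are assumptions."""
import ipaddress
import os
import re
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# pcap global header: magic 0xA1B2C3D4 (little-endian, microsecond timestamps),
# version 2.4, zone 0, sigfigs 0, snaplen 65535, link type 1 (Ethernet).
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
POLICIES = {"local": {"local"}, "mirror": {"mirror"}, "local+mirror": {"local", "mirror"}}
_SAFE_TYPE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # what an attack type may look like in a name

@dataclass
class AttackEvent:                      # assumed output of a detection module
    attack_type: str                    # e.g. "ids", "ddos", "virus", "trojan"
    event_id: int
    src_ip: str
    dst_ip: str
    packets: List[Tuple[float, bytes]]  # (capture time in seconds, raw frame)

def decide_actions(policy: Optional[str]) -> Set[str]:
    """Step S23: None means forensics is not configured; otherwise the branches to run."""
    if policy is not None and policy not in POLICIES:
        raise ValueError("unknown forensics policy: %r" % policy)
    return POLICIES[policy] if policy is not None else set()

def pcap_record(ts: float, frame: bytes) -> bytes:
    """One pcap record: ts_sec, ts_usec, captured length, original length, then the frame."""
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def parse_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Reader for verification and replay; refuses a truncated file instead of guessing."""
    if data[:24] != PCAP_HEADER:
        raise ValueError("not a pcap file in the layout this writer produces")
    out, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        if off + 16 + incl > len(data):
            raise ValueError("truncated record data")
        out.append((sec + usec / 1_000_000, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return out

def pcap_filename(event: AttackEvent, with_src: bool = False, with_dst: bool = False) -> str:
    """Step S26: <type>_<event id>[_<src ip>][_<dst ip>].pcap, with every component validated
    because the values come from the detector and the packets themselves, not the operator."""
    if not _SAFE_TYPE.match(event.attack_type):
        raise ValueError("attack type is not safe to use in a file name")
    parts = [event.attack_type, str(event.event_id)]
    if with_src:
        parts.append(str(ipaddress.ip_address(event.src_ip)))   # raises on a malformed address
    if with_dst:
        parts.append(str(ipaddress.ip_address(event.dst_ip)))
    return "_".join(parts) + ".pcap"

def store_locally(event: AttackEvent, evidence_dir: str, **name_opts) -> str:
    """Step S27: create the file, or append records when the name is already in use."""
    path = os.path.join(evidence_dir, pcap_filename(event, **name_opts))
    with open(path, "ab") as fh:            # append mode opens positioned at end of file
        if fh.tell() == 0:
            fh.write(PCAP_HEADER)
        fh.write(b"".join(pcap_record(ts, f) for ts, f in event.packets))
    return path

def collect_evidence(event, policy, evidence_dir, send_to_mirror=None, **name_opts) -> dict:
    """Steps S23-S27 together; send_to_mirror is the caller's mirror-port sender, if any."""
    actions = decide_actions(policy)
    result = {"local_path": None, "mirrored_frames": 0}
    if "local" in actions:
        result["local_path"] = store_locally(event, evidence_dir, **name_opts)
    for _ts, frame in (event.packets if "mirror" in actions else []):
        if send_to_mirror is not None:
            send_to_mirror(frame)
        result["mirrored_frames"] += 1
    return result

def sample_event() -> AttackEvent:
    """Constructed sample: two arbitrary 60- and 100-byte frames, not real attack traffic."""
    return AttackEvent("ddos", 1001, "198.51.100.7", "192.0.2.10", [
        (1520985600.0, b"\x02" * 12 + b"\x08\x00" + b"A" * 46),
        (1520985600.5, b"\x02" * 12 + b"\x08\x00" + b"B" * 86)])

def demo() -> dict:
    """Two hits of the same event under 'local+mirror' in a temporary evidence directory."""
    ev, sent = sample_event(), []
    with tempfile.TemporaryDirectory() as evidence_dir:
        for _ in range(2):
            r = collect_evidence(ev, "local+mirror", evidence_dir, sent.append, with_dst=True)
        with open(r["local_path"], "rb") as fh:
            stored = parse_pcap(fh.read())
    return {"file_name": os.path.basename(r["local_path"]), "stored_packets": len(stored),
            "mirrored_total": len(sent),
            "frames_match": [f for _, f in stored] == 2 * [f for _, f in ev.packets]}
```

Calling demo() runs the whole branch twice on the same event and reports what an auditor would find afterwards: one file named ddos_1001_192.0.2.10.pcap holding four records, and four frames handed to the mirror sender. Two defensive details matter here: pcap_filename() validates the attack type against a character whitelist and the IPs by parsing them, so a malformed detector or packet value raises instead of becoming an unexpected path component; and parse_pcap() refuses truncated records, so a stored file can be checked for completeness before it is relied on in an audit.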
Embodiment three
This embodiment provides an attack forensics device, which is also applicable to the above method embodiments. As shown in Fig. 3, the device includes a detection module 31 and a forensics module 32, wherein
the detection module 31 checks the preset forensics policy after detecting an attack event; and
the forensics module 32 collects evidence on the original attack information flow according to the forensics policy, the original attack information flow comprising one or more original attack packets of the attack event.
The attack forensics device can be deployed on a gateway, or on a device such as a firewall.
The forensics policy includes: local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port.
In an alternative embodiment, the preset forensics policy includes local storage, and the forensics module 32 collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module 32 copying the original attack information flow, constructing a pcap file with the original attack information flow as its content, and naming the pcap file according to the preset naming rule.
In an alternative embodiment, the preset forensics policy includes forwarding to a preset firewall mirror port, and the forensics module 32 collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module 32 copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
The embodiment of the invention also provides a computer storage medium storing a computer program; when the computer program is executed, the attack forensics method provided by the above embodiments can be carried out, for example one or more of the methods shown in Fig. 1 and Fig. 2. The computer storage medium includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data). Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer.
Although the embodiments disclosed herein are as described above, their content is provided only to aid understanding of the present invention and is not intended to limit it. Any person skilled in the art may make modifications and variations in the form and details of implementation without departing from the spirit and scope disclosed by the present invention, but the scope of patent protection of the invention shall still be as defined by the appended claims.

Claims (10)

1. An attack forensics method, characterised in that the method includes:
after an attack event is detected, checking the preset forensics policy and collecting evidence on the original attack information flow according to the forensics policy, the original attack information flow comprising one or more original attack packets of the attack event.
2. The attack forensics method according to claim 1, characterised in that
the forensics policy includes: local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port.
3. The attack forensics method according to claim 2, characterised in that
the preset forensics policy includes local storage, and collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, constructing pcap (process characteristic analysis software package) files with the original attack information flow as the content of the pcap files, and naming the pcap files according to a preset naming rule.
4. The attack forensics method according to claim 3, characterised in that
the preset naming rule is:
the pcap file name includes the attack event type and the event identifier; or
the pcap file name includes the attack event type, the event identifier and the source IP address; or
the pcap file name includes the attack event type, the event identifier and the destination IP address; or
the pcap file name includes the attack event type, the event identifier, the source IP address and the destination IP address.
5. The attack forensics method according to claim 2 or 3, characterised in that
the preset forensics policy includes forwarding to a preset firewall mirror port, and collecting evidence on the original attack information flow according to the forensics policy includes:
copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
6. An attack forensics device, characterised in that the device includes a detection module and a forensics module, wherein
the detection module checks the preset forensics policy after detecting an attack event; and
the forensics module collects evidence on the original attack information flow according to the forensics policy, the original attack information flow comprising one or more original attack packets of the attack event.
7. The attack forensics device according to claim 6, characterised in that
the forensics policy includes: local storage; or forwarding to a preset firewall mirror port; or both local storage and forwarding to a preset firewall mirror port.
8. The attack forensics device according to claim 7, characterised in that
the preset forensics policy includes local storage, and the forensics module collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module copying the original attack information flow, constructing pcap (process characteristic analysis software package) files with the original attack information flow as the content of the pcap files, and naming the pcap files according to a preset naming rule.
9. The attack forensics device according to claim 7 or 8, characterised in that
the preset forensics policy includes forwarding to a preset firewall mirror port, and the forensics module collecting evidence on the original attack information flow according to the forensics policy includes:
the forensics module copying the original attack information flow, performing packet encapsulation on the original attack information flow, and sending the encapsulated original attack information flow to the preset firewall mirror port.
10. A computer-readable storage medium on which a computer program is stored, characterised in that, when executed by a processor, the program carries out the steps of the method according to any one of claims 1 to 5.

Priority Applications (1)

Application Number: CN201810209294.7A; Priority Date: 2018-03-14; Filing Date: 2018-03-14; Title: Attack forensics method, device and storage medium (the application also claims its own priority)

Publications (1)

Publication Number: CN108566377A; Publication Date: 2018-09-21

Family

ID=63531661; family application CN201810209294.7A (CN108566377A, Pending, priority and filing date 2018-03-14); country status: CN (1), CN108566377A

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110808997A (en) * 2019-11-11 2020-02-18 恒安嘉新(北京)科技股份公司 Method and device for remotely obtaining evidence of server, electronic equipment and storage medium
CN110808997B (en) * 2019-11-11 2021-09-28 恒安嘉新(北京)科技股份公司 Method and device for remotely obtaining evidence of server, electronic equipment and storage medium
CN113239383A (en) * 2021-06-01 2021-08-10 北京华赛在线科技有限公司 File transfer processing method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102006290A (en) * 2010-08-12 2011-04-06 清华大学 IP source address tracing method
CN103152352A (en) * 2013-03-15 2013-06-12 北京邮电大学 Perfect information security and forensics monitoring method and system based on cloud computing environment
CN105488400A (en) * 2014-12-13 2016-04-13 哈尔滨安天科技股份有限公司 Comprehensive detection method and system of malicious webpage
CN107612890A (en) * 2017-08-24 2018-01-19 中国科学院信息工程研究所 A kind of network monitoring method and system
US9893882B1 (en) * 2014-12-12 2018-02-13 Juniper Networks, Inc. Apparatus, system, and method for detecting device tampering

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180921